Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Buffer overflow with long fd numbers in redirects

X-seq: zsh-workers 33367
From: Axel Beckert <abe@xxxxxxxxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: Buffer overflow with long fd numbers in redirects
Date: Mon, 6 Oct 2014 16:24:34 +0200
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAAAAAC3mUtaAAAABGdBTUEAALGPC/xhBQAAADh0RVh0U29mdHdhcmUAWFYgVmVyc2lvbiAzLjEwYSAgUmV2OiAxMi8yOS85NCAoUE5HIHBhdGNoIDEuMindFS5JAAACGElEQVQ4jXXQMU8UYRDG8f8shNjdDH4AbpfGDjAWlKiJiZ0ajL1aGCvsNCbGaCGG1koLaztaTYz6ATy+gOyehYmF3MxVxgg3FnDsHcTpJr/M+8w7Rf6nCsaVTTDqxbg9hoOXmw83H71+Eyfg4E1d7/Z2fG9rGkZbTQiu+K+3U/C+76lmkvAhJuDndnoAiftou4V84okAGclop4U/jYACZDTxrYWP0gkxVfAm/W//GLZpxIzwIN0Hn8dw0B+IWkZmQmRsj2HfhwokEklHfNCCiQCRgAR7YyhQVRVTCKCzP4Y5zBBE0t0zY3Q8oQaBqqAMlVEcgVQd9706zGirAFium8HXumlMIeMwqQCInju+2+uB6MRENupdpMt8pRlHZyuAW0F+Mb6XSIVqtxjD+iVmVqqystLEzFTGT92YqRaXpNT5eTVjeJhbALPnrTxLUZUKZsgxcNm64hAOYisT/xhF+oKTGU5RegtC3Rt6eEDi/QnIevdTx9Md2EMmYBRmCQR1026FCGQQJJExsRUqgkMGaWSbwYLnoO4T6VgpbQbdELPMBAHWWrhYrcxXnYgAsatPWygkFCBD4K62MAsOTqA6szYRPpsu6e6Y8mPiVrBMNuGIMrgwBUu4p2DgG1Ownu6hpuTv7hScefHAzAC/yRRw5U5pALMbJ4AUALvHSZhxgHPXTsHcdWD1GadAHr9avP+c0wCr7263Df8ASLwXWHWs+KIAAAAHdElNRQfYBQEBODPr
In-reply-to: <CAHYJk3QeCiKGuohbduaFa9cct48oL4c2+weEQKsWpr91EM_YkQ@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mail-followup-to: zsh-workers@xxxxxxx
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
Organization: DeuxChevaux.org -- The Citroën 2CV Database
References: <CAHYJk3QeCiKGuohbduaFa9cct48oL4c2+weEQKsWpr91EM_YkQ@mail.gmail.com>

Hi,

On Mon, Oct 06, 2014 at 04:00:44PM +0200, Mikael Magnusson wrote:
> Someone reported this on IRC the other day,
> % >&333333333333333333333
> zsh: number truncated after 20 digits: 333333333333333333333
> *** buffer overflow detected ***: zsh terminated
> 
> At least one place where this is mishandled is in exec.c around line 3215,

I can reproduce this in 5.0.6.

But I can't reproduce this in 4.3.17 as in Debian Wheezy. There it
looks exactly like this:

> Output with the patch,
> % >&333333333333333333333
> zsh: number truncated after 20 digits: 333333333333333333333
> zsh: 553997653: bad file descriptor

!518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44 
~ → echo $ZSH_VERSION
4.3.17
!518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44 
~ → >&333333333333333333333
zsh: number truncated after 20 digits: 333333333333333333333
zsh: 553997653: bad file descriptor
!519 Z8 ?1 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:50 
~ → 

So this issue probably crept in somewhen between 4.3.17 and 5.0.6.

		Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | abe@xxxxxxxxxxxxxxx  (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | abe@xxxxxxxxx (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://noone.org/abe/ (Web)

Follow-Ups:
- Re: Buffer overflow with long fd numbers in redirects
  - From: Bart Schaefer
- Re: Buffer overflow with long fd numbers in redirects
  - From: Mikael Magnusson

References:
- Buffer overflow with long fd numbers in redirects
  - From: Mikael Magnusson

Messages sorted by: Reverse Date, Date, Thread, Author